Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Application Security

Serious Flaws Found in IBM InfoSphere Products

IT security services company SEC Consult on Wednesday disclosed the details of several unpatched vulnerabilities affecting IBM’s InfoSphere DataStage and Information Server data integration tools.

IT security services company SEC Consult on Wednesday disclosed the details of several unpatched vulnerabilities affecting IBM’s InfoSphere DataStage and Information Server data integration tools.

The flaws were reported to the vendor on May 23, but patches still haven’t been released. However, IBM has published advisories for each of the issues, providing recommendations on how to mitigate potential attacks.

SEC Consult discovered the vulnerabilities, which it has collectively classified as critical, in InfoSphere DataStage 11.5, but IBM determined that they also impact InfoSphere Information Server and DataStage versions 9.1, 11.3 and 11.5.

The most serious of the flaws, based on the 8.4 CVSS score assigned by IBM, is CVE-2017-1468. The security hole exists because the Director and Designer clients don’t check file signatures before loading and running executable files, allowing a local attacker to place arbitrary executable files in installation directories and escalate privileges.

Another high severity vulnerability is CVE-2017-1467, a weak authorization issue that allows attackers to execute arbitrary system commands.

“An unauthorized user could intercept communication between client and server, and replay certain DataStage commands without privileged access,” IBM said in its advisory.

An XML External Entity (XXE) injection vulnerability that can be exploited by a remote attacker to obtain arbitrary files from the client system (CVE-2017-1383) has also been classified as high severity.

Advertisement. Scroll to continue reading.

Researchers also discovered that privileged users can trigger a memory dump that could contain highly sensitive information in clear text, including credentials. IBM was also informed that the application loads DLL files from its home directory without verifying them, which could lead to arbitrary code execution.

While patches have not been released for these security holes, IBM has provided mitigation advice for a majority of the issues – mitigations for the DLL hijacking flaw will be made available by November 30.

The tech giant told SEC Consult that the vulnerabilities will be addressed in a new client interface the company is working on.

“SEC Consult recommends the vendor to conduct a comprehensive security analysis, based on security source code reviews, in order to identify all vulnerabilities in the Remote Management platform and increase the security for its customers,” SEC Consult said in its advisory.

Related: IBM Patches XSS Flaws in InfoSphere BigInsights

Related: Attackers Can Target Enterprises via GroupWise Collaboration Tool

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.